Q. WHAT DOES HIPAA PRIVACY MEAN TO GROUP HEALTH PLANS?
Q. WHAT DOES NON-COMPLIANCE MEAN?
Q. ARE GROUPS SUBJECT TO THE HIPAA PRIVACY REGULATION?
Q. HOW SHOULD A HEALTH PLAN DETERMINE WHAT RECEIPTS TO USE TO DECIDE WHETHER IT QUALIFIES AS A 'SMALL HEALTH PLAN'?
Q. HOW DOES HIPAA AFFECT FAMILY AND MEDICAL LEAVE ACT PROCESS?
Q. HOW WILL HIPAA IMPACT WORKERS’ COMPENSATION?
Q. HOW DOES HIPAA INFLUENCE RETURN TO WORK AND MODIFIED DUTY?
Q. WHAT DOES HIPAA PRIVACY MEAN TO GROUP HEALTH PLANS?
A. The HIPAA Privacy Regulations will significantly affect Group Health Plans. The degree of this impact will greatly depend on whether the Group Health Plan is fully-insured or self-funded for its health care benefits. Another variable affecting the impact of HIPAA compliance on groups is the amount of PHI that the Group Health Plan elects to receive.
RETURN TO TOP
Q. WHAT DOES NON-COMPLIANCE MEAN?
A. Group Health Plans should be aware that non-compliance with the Regulation could mean both civil and criminal penalties. Group Health Plans should familiarize themselves with the Privacy Regulation and how this will impact their day to day operations.
RETURN TO TOP
Q. ARE GROUPS SUBJECT TO THE HIPAA PRIVACY REGULATION?
A. Most Group Health Plans (with the exception of self-administered Group Health Plans with less than 50 participants and certain government-funded plans) are Covered Entities as defined by the Privacy Regulation. There is no distinction in the definition of Group Health Plan between fully-insured groups and self-funded groups. Therefore, Group Health Plans are subject to the Privacy Regulation. However, there are exceptions in the Regulations that allow groups, under certain circumstances, to both limit their exposure to the penalties for non-compliance mentioned above and reduce the level of effort needed to comply.
RETURN TO TOP
Q. HOW SHOULD A HEALTH PLAN DETERMINE WHAT RECEIPTS TO USE TO DECIDE WHETHER IT QUALIFIES AS A 'SMALL HEALTH PLAN?
A. A small health plan is defined at 45 C.F.R.§ 160.103 as “a health plan with annual receipts of $5million or less.”
Health plans that report receipts to the IRS on identified tax forms.
Health plans that file certain federal tax returns and report receipts on those returns should use the guidance provided by the Small Business Administration at 13 C.F.R. § 121.104 to calculate annual receipts.
Health plans that do not report receipts to the IRS – for example, ERISA group health plans that are exempt from filing income tax returns – should use proxy measures to determine their annual receipts. Fully insured health plans should use the amount of total premiums which they paid for health insurance benefits during the plan’s last full fiscal year. Self-insured plans, both funded and unfunded, should use the total amount paid for health care claims by the employer, plan sponsor or benefit fund, as applicable to their circumstances, on behalf of the plan during the plan’s last full fiscal year. Those plans that provide health benefits through a mix of purchased insurance and self-insurance should combine the proxy measures to determine their total annual receipts.
RETURN TO TOP
Q. HOW DOES HIPAA AFFECT FAMILY AND MEDICAL LEAVE ACT PROCESS?
A. Employers routinely obtain medical certifications under the Family and Medical Leave Act (“FMLA”). These forms are completed by an employee’s treating health care provider to verify the existence of a qualifying “serious health condition” under the FMLA. The U.S. Department of Labor issued regulations under the FMLA that specifically allow this inquiry and include a form medical certification. Completed Medical Certification forms often contain personal medical information.
Will the HIPAA privacy regulations affect these processes? Will it make a difference if the health care provider completing the form is the treating provider, as compared to an independent medical examiner retained by the employer for a second or third opinion?
A covered entity will not be permitted to disclose the information that would be required in these circumstances directly to an employer without a HIPAA compliant authorization. For health care providers, it will not matter whether the provider is the treating physician or a provider retained to render a second or third opinion. Also, the same restrictions would come into play when the employer, through its health care representative, seeks clarification of an FMLA medical certification. Therefore, employers should modify their FMLA medical certification processes to include a HIPAA compliant authorization form.
If an employee refuses to authorize the release of this medical information, he/she would not be able to submit a timely FMLA medical certification to substantiate the need for leave. Employers should consider amending their FMLA policies to provide that employees are required to complete an authorization for release of information on the FMLA medical certification form.
RETURN TO TOP
Q. HOW WILL HIPAA IMPACT WORKERS’ COMPENSATION?
A. Under state law, employers are required to provide workers’ compensation benefits to employees who are injured, become ill or die in the course of employment. Employers may insure or self-insure these benefits. During the course of a workers’ compensation claim, employers will seek to verify the existence, nature, and cause of the injury/illness by obtaining information about the medical condition in question. This information may come from the employee’s treating physician or panel doctor; from the employer’s insurance carrier or third-party administrator; and/or from an independent medical examiner.
HIPAA compliant authorization would be required for the release of the employee’s medical information to the employer or a third party. However, there is an exception in the HIPAA regulations that would permit a health plan to disclose information for purposes of workers’ compensation benefits when legally required. This exception is important because workers’ compensation programs are not considered health plans, whether or not they provide certain medical or prescription benefits.
The preamble to the HIPAA regulations clarifies that the privacy rules are not intended to disrupt existing workers’ compensation systems as established by state law, including the flow of health information needed to process claims or to coordinate care under the workers’ compensation system. Under this broad reading of permitted disclosures, we would expect the release of workers’ compensation information to a workers’ compensation carrier or administrator for the purposes of processing claims for benefits, to be exempt from HIPAA’s privacy rules, including the requirement that the transaction be conducted pursuant to a HIPAA compliant authorization.
The rules offer less guidance as to whether authorization would be required for a subsequent or contemporaneous release of the same medical information to the employer. If the insurance carrier or administrator for the workers’ compensation program subsequently sends the medical information to the insured employer, a HIPAA-compliant authorization form may not be required because workers’ compensation programs are not considered covered health plans and, therefore, are not subject to HIPAA. A contemporaneous release of the medical information to the employer may prove more problematic. If that disclosure is not legally required for claims processing or care coordination, it would fall outside the exemption. The more explicitly a state workers’ compensation statute authorizes the employer to receive personal health information, the more comfort carriers, administrators and health plans would have in releasing the information to an employer.
In the absence of further guidance on these issues, employers may consider introducing HIPAA authorization forms into their workers’ compensation programs. This step would eliminate any HIPAA constraints, real or imagined, that health and workers’ compensation plan administrators might see as preventing them from providing employers with full access to medical reports and underlying data in connection with the payment of workers’ compensation claims. This issue becomes particularly important for self-insured workers’ compensation programs under which employers tend to play a more active role.
As an initial step, employers may wish to engage their insurance carriers and/or third-party administrators in a dialogue to determine what steps, if any, they are taking to comply with the HIPAA privacy rules and whether they anticipate any problem with providing personal health information regarding workers’ compensation claimants to employers.
RETURN TO TOP
Q. HOW DOES HIPAA INFLUENCE RETURN TO WORK AND MODIFIED DUTY?
A. Employers frequently seek medical information when an employee is prepared to return to work following a medical leave. In some cases, a doctor’s note simply stating that an employee can resume regular duties will suffice. In other cases, especially when work limitations are imposed, an employer will seek a medical evaluation of the employee’s limitations and ability to work in a modified duty position. A request to a covered entity to release this information to an employer should be accompanied by a HIPAA compliant authorization. Authorization also should be obtained even for the simple note.
RETURN TO TOP
If you have any questions or complaints, please contact HIPAA Privacy and Compliance Office by phone: 972-687-1863 or email:
.
RETURN TO TOP
Disclaimer: EDH obtains its information from sources it believes to be reliable. However, due to human and mechanical errors as well as other factors, EDH makes no representations or other warranties, express or implied, to the accuracy of the information. This information is provided for discussion purposes only. It does not constitute legal advice and is not intended for use without advice of legal counsel. It is also not a substitute for legal or other professional advice. Users should consult their own legal counsel for advice regarding the application of the law and this document as it applies to the HIPAA regulations.
